The Privacy Police Strikes

Right now, in the US, two of the most popular TV shows are Survivor and Big Brother, European imports in which people willingly live under the watchful eyes of TV cameras. Think of it as a real-life version of The Truman Show, where TV watchers gather to see people like them deal with life. The shows have already swept through Europe, leaving outrage and protest in many of those countries. In the US, however, few groups have protested the shows, most probably because the invasion of privacy is considered less flagrant in this country than it is in Europe.

At the same time, the World Wide Web Consortium has introduced the P3P, a new standard to facilitate the distribution of a web site’s privacy policy.

With P3P implemented, users could choose to visit only Web sites that promise not to track their movements or to collect personal information. Or they could decide to go to Web sites that collect personal information, like their name and address, but only if that company promises not to share that information with anyone else. The browser will take care of notifying them of each site's policy and let them decide whether they want to opt in or out. With Microsoft and Netscape involved in those efforts, expect the next iteration of web browsers to be P3P-compliant.

The CDT has endorsed P3P as a step in the right direction. While it stops short of calling it the be-all and end-all of privacy, the CDT praised P3P as an "important opportunity to make progress in building greater privacy protections in the Web experience of the average user."

The CDT warns, however, that P3P will not ensure that companies follow their privacy policy, nor will it ensure data safety in countries where no data privacy law has been enacted. Other critics have said that P3P is not the appropriate answer because it creates a default where companies can grab any data and users have to opt out of that gathering. To certain consumer privacy advocates this is bad, because they believe that most people will not bother to opt out (studies on opting out of any kind of data gathering have shown that few people polled bothered to do so, thus giving more control to corporations). In other words, while concern around the issue is high, most people don't want to have to deal with it, and calls for increased protection are starting to pop up on Main Street as well as in Congress.

The Federal Trade Commission, which up until recently had a laissez-faire attitude towards such data gathering, has now recommended that Congress enact legislation to ensure a minimum level of privacy protection for online consumers, establishing basic standards of practice for the collection of information online. The recommendation includes four basic areas of protection:

Notice: Web sites would be required to post a privacy notice telling consumers what data they gather, how they collect it, how they plan to use it and who has access to it.

Choice: users should have the right to decide how their information would be used beyond a transaction.

Access: Web sites would be required to give consumers a chance to access the information that has been gathered about them and to make modifications, including deletions and corrections.

Security: Web sites would be required to take steps to protect the privacy of users in order to ensure that data would not leak out unknowingly to other sources.

These suggestions mirror the 1998 European Directive on Data Protection, which was enacted to control the use of personal information gathered on European citizens. It has already been put into law by eight of the fifteen European Union countries. As written, the European directive does not allow American companies to gather any data on European consumers, because of the lack of protection for personal data in the United States. However, discussions between the European Union and the US Department of Commerce are currently under way to allow American companies some protection. Passage of the FTC recommendation into law would ensure compliance and alignment between European law and American law, which would facilitate global e-commerce.

However, there are a number of issues to look at. The FTC suggestions came as the result of a recent study the commission did, which showed that only 20% of the sites surveyed satisfied all four of those areas.

I would recommend to the readers of this newsletter that they examine their own internal policy on data gathering in order to comply with such rules. I may not be a rabid consumer data privacy advocate, but I believe that these rules make sense for several reasons. Our business, as Internet builders and managers, is to ensure the highest level of customer service on our web sites. Data protection is a new area of customer service that we need to concern ourselves with (the FTC is a political organization, and I'm sure that they have some internal pollster telling them that consumers want to see their data protected). Web sites that pioneer data protection and develop strong rules internally will benefit greatly, as consumers will feel more comfortable in their dealings with them. Beyond that, data protection is one of the fundamental pillars on which expansion into foreign markets rests. When I was working at Boo.com, one of the things that we worked on diligently was compliance with the many European data laws. As a result, we ended up following the European Directive on data gathering relatively quickly (however, I was surprised to see that Boo had allegedly sold its customer list to FashionMall as part of its divestiture, leaving a huge question mark on the legality of the matter).

As a quick reference point, here are a few questions that web site operators should ask themselves:

Do we have a privacy policy and is it posted?

Does it provide information on every piece of data we collect? (For example, a number of privacy policies do not cover the use of cookies, server logs, or emails sent to an address on the site.)

Do we give consumers a chance to opt out of that data gathering? If not, can we? If so, do we provide the necessary tools to do so (web forms or an email address)?

Do we give users a chance to correct personal information we have gathered about them and select whether they want us to use it in the future? Do we cover every scenario under which that personal information will be used?

Have we audited our site to make sure that the information is stored securely?

Let me address each of those points in more detail.

Privacy policies: the first thing in drafting a privacy policy is to involve the lawyers (I know that may sound stupid, but I know of a couple of corporate web sites where that job was left up to the webmaster). Even with the lawyers involved, however, a good privacy policy should be easy to understand, so skip most of the legalese and explain your policy in plain English (think of it as a marketing piece: the message you are sending here is "we understand your concerns about privacy and here is how we are answering them").

Opting out or correcting data: most web sites keep consumer data in a separate database or set of database tables. As part of good netizen behavior, companies should create a user name and password for every user who decides to give them data. The tools you provide to that user should include a form that lists the data they have submitted and lets them make corrections. Furthermore, a second page should allow users to opt out of different marketing options (for example, a user could choose to opt into receiving snail-mail special offers but not email ones). As part of these opt-out options, however, you should add some value to your data. If a consumer is willing to give you their snail-mail address for marketing purposes, you could offer them certain special discounts on products. This could include discounts within your own store as well as on other web sites (example: imagine your online electronics store wants to share data about users who have recently bought a stereo system with a web site that sells music CDs. As a way to entice customers to agree to your selling their name to another web site, they could receive a discount on CDs on that other web site).

Data audit: the recent news about Hotmail passing email addresses in the URL field showed that user data can sometimes leak out without your planning on it. Instead of passing such a precise identifier, use a customer ID in the URL field. That ID remains meaningless to outside web sites but allows you to personalize the user's experience. A check of all the personalization features on your site should reveal such problems. Fix them before the news gets out. I had noticed the email-address-in-a-URL problem with Hotmail and sent them an email about three weeks ago but never heard back from them. Last week, I read about it on the front page of CNET's News.com. I'm not sure whether my email went to the wrong person at Hotmail or to a mailbox that did not get read much, but seeing this pop up on the front page of a leading tech news site left me feeling that data handling at Hotmail was sloppy at best.

Either way you handle it, the data privacy debate will not stop. You can choose to bury your head in the sand but ultimately, it will have to be dealt with. Why not lead the charge and ensure that you are in compliance before you are forced to do so?